GDPR

The GDPR section covers a number of topics:
- Legal Base: you will need to define on what legal base you are collecting data.
- User Documentation: overview of all documentation for users.
- User GDPR Right Requests: your register to keep track of end-user requests, e.g. data deletion.
- Data Breaches: your overview of all data breaches.
- DPA Overview: your overview of all Data Process Agreements (with customers, suppliers, etc.).
All these components are mandatory and will also be part of the GDPR Assessment.
In the overview of Stakeholder & Legal requirements you have probably added GDPR more than once in relation to your stakeholders. ISO27001 requires you to address all the above topics.
Legal Base: You will need to define on what legal base you are collecting personal data.
Please open your Data Classification section again: for every data source, you will need to ask whether that data source contains personal data (see the Data Classification wiki). For more information on the definition of personal data under GDPR, please check Personal data.
It is possible to define multiple legal bases for one data source.
We advise you, when adding a legal basis, to add the name of the data source yourself: use the "+Add new Field" feature, add a "Text Field" and name the box Data Source.
In this way you have made a cross-link between data classification and legal basis.
Please find below more information about the legal base choices.
- Consent: The data subject has freely given consent for their information to be processed for a specific purpose. Tacit consent is not enough. You must be able to demonstrate that you have received valid permission from people to process their personal data. Withdrawing consent should be as easy as giving it, and you must inform the data subject of this right. After consent is withdrawn, you must stop processing the relevant data; you cannot then switch to another basis to process it.
- Execution of an agreement: You may process personal data for the execution of an agreement, for example recording name and address details to deliver an ordered product to your customer's home. This data may only be used for that purpose. You may not use it later to send your customer a newsletter; that requires permission again.
- Legal obligation: Sometimes you have to record personal data to comply with a legal obligation. An employer must record the personal data of employees and pass it on to, for example, the Tax and Customs Administration. Without the employee's permission, the data may not be passed on to an organization for which there is no legal obligation; again, permission is required.
- Vital interest: In emergencies, when health or life is at risk, the processing of personal data by care providers may be justified. This basis can only be used if it is really not possible to obtain permission.
- General interest: You may process personal data under this basis if it concerns another legal provision in which the purpose of the processing is also described.
- Legitimate interest: Personal data may be processed to represent a legitimate interest. The legitimate interest does not apply if the rights of the persons concerned outweigh it. It may be a legitimate interest if there is a relevant and appropriate relationship between an organization and its customers. A legitimate interest may include processing login names and passwords for network security. The organization must be open about its legitimate interest, and data subjects can object to processing of their personal data on the grounds of legitimate interest.
When you have chosen your legal basis you will need to add:
- Whether you are Data Controller or Data Processor. High-level rule: if you are B2B, you are data processor, as your customer decides what the purpose of your product is. In some cases you can be both.
- The country in which you collect the data and the relevant Data Protection Authority.
- Use https://ec.europa.eu/justice/article-29/structure/data-protection-authorities/index_en.htm for a complete overview of all Data Protection Authorities in Europe.
User Documentation: Overview of all documentation for Users
Use this section to store the latest versions of your end-user documentation and keep track of versioning. End-users are consumers, the target subjects of the GDPR. There are a number of end-user documents:
- Internal Privacy Policy: specific to your internal organization (team members).
- External Privacy Policy: specific privacy rules for the end-users making use of your product/service.
- Cookie Policy: mandatory if you have a website; explains which cookies are used and why (remember that you will always use at least a minimum set of cookies).
- Terms of Use: specific service rules for the end-user while making use of your product/service.
Which end-user documentation you need to have in place depends on your product/service.
Checklist for your external privacy policy, topics to address:
- your company details
- the purpose of the data capture and legal basis
- what data you collect
- to whom you may pass on the data
- how long you keep the data
- the security you have applied to the recorded personal data
- the right to inspect, correct, delete, and transfer your own data (data portability)
- the right to withdraw consent
- the right to file a complaint
- address how you ask for Consent
A review on a yearly basis is needed: add your document, and each year review it and add a short note on the changes made. C-level approvals can be added as evidence.
User GDPR Right Requests: Your register to keep track of End-Users requests, e.g. data deletion
Data rights requests are requests from end-users to exercise one of the GDPR rights: withdraw consent, inspect, correct, delete, and transfer the data (data portability). If you have a B2B product, you will probably not be responsible for registering data rights requests, as your customer will want to stay in charge of that.
However, prepare yourself for the request from your customer to execute these rights. You will need to set up an End-user Data Rights Request Procedure (template in the Documentation Kit). This will also be part of the MSA (Master Service Agreement) that you sign with your customers. The procedure can be added in the Procedure/Info part of this section.
In any case, if you receive a request from an end-user of your product/service, this is the section where you register it and add evidence, in case the Data Protection Authority files a request for information.
What to register:
- Request from (name of the end-user)
- Project (or customer)
- Request date
- The GDPR right type (drop-down list)
- Status: closed or in progress (to remind you)
- End date (fill in when you close the request)
- Link to tech job (link to the TechTeam ticket, with evidence of e.g. deletion)
- Make use of extra fields if needed (add evidence)
Data Breaches: Your overview of all data breaches
First you will need to define your Data Breach Procedure (template in the Documentation Template Kit). Once finalized, add it to the Procedure/Info part of this section.
Be careful with classifying an event as a data breach, especially in conversations with clients and team members. Make sure it is clear to all team members that only the Data Protection Officer (DPO) can classify an event as a data breach. There are strict rules on the definition of data breaches; please check the link below from the Dutch Data Protection Authority (or use the ones from other EU countries). https://www.autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/policy_rules_data_breach_notification_obligation.pdf
Once an event has been classified as a data breach, reporting to the Data Protection Authority within 72 hours will need to be arranged. The timing for communicating data breaches to your customer(s) is described in your SLA or T&C.
It is important that your team members who are in charge of monitoring systems and support tickets have a clear definition of what is an event, what is an incident and what is a data breach. C-level will always need to be notified in case of a data breach, because it can have serious impact on the business and external communication will need to be involved.
In the template Data Breach Procedure, you can find the steps to follow in case of a data breach.
Per data breach you will document the process; the DPO is responsible for this. Make sure the improvements defined are also translated into actual Improvements.
Data breaches belong to the overview of Security Metrics, so they will be discussed and followed up by the ISMS Team during security meetings.
DPA Overview: Your overview of all Data Process Agreements (with customers, suppliers, etc.)
In Compleye Online we do not store signed contracts between your organization and other stakeholders, the exception being DPAs (Data Process Agreements), as they contain no confidential information other than the data protection rules agreed upon.
We advise you to always state in your DPA that when the commercial contract expires, the DPA expires as well, so that you do not have to keep track of end dates for the DPA.
For small B2B companies the DPA can also be part of a commercial contract (MSA/SLA) and therefore does not need to be added to this section. In case special agreements are made between you and your customer, you will either adopt the extra security or privacy activities as your own, or mention them in the Global Impact section.
If you do sign separate DPAs with your customers, partners and/or suppliers, you can file them here and keep track of special articles, or keep track of the closing dates of these contracts (by adding extra fields).
Make sure that the template is part of your Contracts Overview.
- Type of DPA: you can add the name of the template (e.g. supplier, partner, customer)
- Contract Party: name of the other company
- Remarks: add e.g. content that is not part of the template (additional agreements)
- Date Signed: closing date
- Add the actual DPA as evidence
Use extra fields if you want to keep track of additional information.
Legal Basis – Add New

| Field | Value / Description | Example |
| --- | --- | --- |
| Legal Basis | Select from the drop-down menu the legal basis that applies to your organisation | consent |
| Role | Button field: Data Controller, Data Processor or both. High-level rule: if you are B2B, you are data processor, as your customer decides what the purpose of your product is. In some cases you can be both. | data controller |
| Country of data collection | Free text field: name of the country | the Netherlands |
| Data Protection Authority | Free text field | Dutch Data Protection Authority |
User Documentation – Add new

| Field | Value / Description | Example |
| --- | --- | --- |
| Type of End User Document | Select from the drop-down menu the type of end-user document you would like to list | Internal Privacy Policy |
| Languages | Free text field: the languages in which the documentation is published | Dutch, English |
| Remarks | Free text field: any additional notes | none |
User GDPR Rights Request – Add new

| Field | Value / Description | Example |
| --- | --- | --- |
| Request from | Free text field: the party/customer/supplier the request is coming from | supplier |
| Project | Free text field: area of business the request is coming from | SuperCool Fremium 2022 |
| Request date | Calendar: select the date the request came in | 1st of February 2022 |
| Status | Select the button: request is in progress or closed | closed |
| End Date | Calendar: select the date the request was closed | 2nd of February 2022 |
| Link to tech job | Free text field to paste the link related to the request | |
Data Breaches – Add new

| Field | Value / Description | Example |
| --- | --- | --- |
| Data breach description | Free text field | Hacker attack |
| Date | Calendar: select the date the breach incident took place | 3rd of May 2020 |
| Data breach report link | Free text field: add the link and upload a document | |
| How it was handled | Free text field | within 18 hours evaluation with customer, within 72 hours reported to authorities |
| Improvements made | Free text field | automated monitor procedure |
| Status | Select the button: data breach handling is in progress or closed | in progress |
DPA Overview – Add new

| Field | Value / Description | Example |
| --- | --- | --- |
| Type | Free text field: you can add the name of the template (e.g. supplier, partner, customer) | Supplier DPA |
| Contract party | Free text field: name of the other company | Blowaway |
| Remarks | Free text field: add e.g. content that is not part of the template, such as an additional agreement | Used our own template |
| Date signed | Calendar: select the closing date | 11th July 2021 |
| DPA documents | Add the actual DPA as evidence | |

Use additional fields if needed.